Preventing System Abuse

In an age when a single MP3 or graphic-image download can land a company in court, controlling what an enterprise's Web browsers can reach can become as important as paying taxes. And that is before counting the potential for a single user to invite in malicious code that could cripple a network, or the time employees can waste on non-work-related Web surfing.

Fortunately, deploying a content-filtering solution can be relatively straightforward thanks to the arrival of appliances that avoid the need for client-based software and rely on content analysis rather than simple blacklists to do their work. The first step in deploying a solution is selecting the right product, and for most networks a dedicated appliance is the way to go.

Solution providers should be careful even when selecting dedicated appliances, though. In the past couple of years, vendors in the security space have bolted Web-content-filtering software onto their security appliances simply to extend the feature list, without the filtering itself being particularly effective.

For one thing, content-filtering products that rely on blacklists can never keep up with the number of objectionable sites that pop up every day. Proxy servers also fool list-based tools easily: when a user reaches a blocked site through an open Web proxy, the filter sees the proxy's address, not the blocked site's. Savvy users can render blacklist tools useless that way, and the emergence of RSS and an abundance of news-reader applications, which can deliver a site's content from a different address than the site's own, has made the trick even easier.


"Blacklists are always behind the curve, and so far behind the curve that a company can get burned very easily," said Jon Johnson, president of U.S. Transport Services, Clovis, Calif., a reseller of ContentWatch's ContentProtect appliance. "This appliance keeps you up as close to the edge as possible. I've never seen a solution get closer."

Tools like ContentProtect use regular expressions and Boolean heuristics to categorize content. They assign weights to words and phrases, sum them into a category score for the page, and can block either an individual page or an entire site. Because the appliance sits inline and filters at the port level rather than by destination address, a proxy or caching server in the path does not bypass it: the page content still flows through the engine. The caveat is that the engine can only score content it can read; a session tunneled to a proxy over an encrypted connection passes the appliance as opaque bytes, so such tunnels have to be blocked by port or address rather than by content.

Such content-based appliances are not only smarter and easier to manage than list-based tools; as stand-alone inline devices, they also filter Web content without consuming CPU on servers or client PCs and without adding client-side software.

"You eliminate any potential breaking of applications or databases or slowing down the network," said Jeremy Simmons, president and CEO of Asierus, a South Jordan, Utah-based solution provider and another ContentWatch partner. "As an appliance, it's fast, it's reliable and there's no way to hack around it. It still filters what's coming through."

Another important consideration is the product's flexibility. If an employer wants, for example, to prevent its employees from illegally downloading MP3 music files but wants them to keep access to instructional podcasts in MP3 format, administrators need to be able to grant permission on the fly rather than blocking the file type wholesale.

While in some ways not as accurate as a list-based system, content-filtering schemes are effective if the weighting values are configured correctly. However, the filtering heuristics and weighting schemes are usually determined by the vendor, and the algorithms are tightly held secrets, so solution providers have little ability to tune them. To reduce false positives, most vendors incorporate user-configurable whitelists.

Most content-filtering vendors still provide only simple client-based software. In addition to ContentWatch, vendors such as SonicWall, Barracuda Networks and ICE Systems are among those offering dedicated appliances, while Astaro has added content filtering to its security appliance.

For the purpose of this article, the CRN Test Center decided to deploy ContentProtect, the flagship product of ContentWatch, Salt Lake City, which has a reputation for having a very accurate content-analysis engine.

In addition, ContentWatch's appliance arrived with time-management features, reporting capabilities, port filtering and the ability to create blacklists and whitelists.

Here are the steps for installing, integrating and running ContentWatch's ContentProtect:

Installing The Appliance
ContentWatch created a single point of administration for the appliance as well as for client machines using the ContentProtect software, so deployment only takes a few minutes on any network.

ContentWatch designed the appliance as an inline device that resides at the edge of a gateway, behind the firewall. If VARs need to deploy multiple appliances to spread the load on a large corporate network, each appliance should serve its own subnet, placed inline ahead of that subnet's switch or hub.

After a simple registration procedure, VARs log into a ContentWatch-managed data-center site for remote Web administration. The appliance needs no on-premises management server, because it uses pull technology: it polls the ContentWatch administration site and applies whatever settings were created there. The appliance has separate built-in timers for the various settings, including updates to the operating system and the core engine, and ContentProtect clients use the same pull technology. One consequence worth noting is that the hosted console and its account credentials become part of the filter's trust boundary: whoever can change settings there changes what the appliance enforces.

Once the account is created and the server activated, the administration interface automatically creates a CPProServer001 group on its left-hand side. Clicking the default group lists all the PCs connected to the appliance by IP address, and clicking an IP address lets administrators change its display name, a useful feature when tracking user activity.

For mobile workers, plug-in software can be installed on the client that gives them the same profile and capabilities as when they are working on the company network. When they connect to the network, the appliance detects their presence and overrides the client plug-in, thus avoiding double filtering.

Adding New Policies
The appliance uses a flexible, policy-based security architecture to manage users. VARs can use the policy page to set up policies for entire organizations, groups and individual users, including IT administrators. A policy applied at any group or individual level overrides the policy inherited from higher levels; leaving a policy drop-down box as "None" makes a group or individual inherit the policy from the next level up.

The policy interface is straightforward. On the right-hand side, the policy page shows which action applies to each Web category; only three choices are available: Allow, Block and Warn. The policy page also displays the administrative privileges for that policy, additional access to other ports and which reporting activity is tracked. The appliance can block any port, including those used by P2P, newsgroups and instant messaging.

Setting Notifications
The appliance can send e-mail notifications to administrators, organizations, groups and end users whenever it intercepts users attempting to access restricted sites. Choices for notifications coincide with the Block and Warn policy options, allowing administrators to select what they want to see for each user. In addition, administrators can receive notifications when users override policies. However, only users with override options in their policies have the ability to circumvent policies. Administrators also can receive requests for overrides. This is a useful feature whenever users make new requests to change categories for blocked sites.

Overriding Policies And Settings
In many cases, a content-filtering system will block news, medical or some other sites that contain graphic or hate language, but a company may want to allow its employees to be able to access those sites for business or other reasons.

That's where the Web overrides page comes in. The ContentProtect appliance checks the Web override list before it parses Web-page content, so any page or site on the list bypasses the engine entirely. Conversely, administrators can use the same list to block sites that the engine would normally allow. Because an allow entry skips content analysis altogether, the list is best kept to specific hosts rather than broad domains.

Unfortunately, ContentProtect does not have an integrated message feature that would allow users to request an override from an administrator from within the browser. Rather, after receiving a block or warn message, they have to put the request in an e-mail. The client plug-in software, though, does have an integrated message feature.

Generating Reports
The appliance arrives with four basic activity reports, viewed on the reports page. At the group level, administrators can generate a pie chart of the Web categories filtered by the appliance. The first two reports summarize activity per user or per group, and clicking a Web category in a report drills down to individual users.

The appliance can produce reports listing the sites each user attempted to reach, including blocked searches on any search engine. A count is kept for each blocked attempt, along with the total time spent on each, and there is an option to generate reports of total hourly wages lost per user. The data is stored at ContentWatch's data center and purged every 30 days, so anything needed for a longer investigation has to be exported within that window.

Preventing Conflicts
The security page is used to let programs on client PCs reach the Web by placing them on a bypass list. Typically, administrators add antivirus programs, the operating system's update service and other programs that use the Web for updates. Each bypass entry is traffic the engine no longer inspects, so the list deserves the same scrutiny as the Web override list.

The appliance also has an option for adding an Application Manager tool available in the ContentProtect Professional Suite. The suite is a separate purchase, so customers have to contact their resellers to activate the feature.

The Application Manager can enforce policies on executables, allowing administrators to designate which programs can and cannot run on a client. Like the content engine, the appliance uses the allow, block and warn options to monitor applications. The Application Manager agent runs on each client.

The Professional Suite also provides an antiphishing tool that warns users when accessing fraudulent Web sites. Through the appliance, administrators can set warning messages in ContentProtect clients running the antiphishing module.

Blocking Searches
When users conduct searches, the appliance's categorization process scores every search-results page before it is displayed. All the data on the page is analyzed, including file names and metadata. Whenever a user enters a filtered word or phrase on a search engine, the appliance displays a simple block message.
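The pieces described in the sections above (weighted regular-expression scoring per category, the Allow/Block/Warn policy inherited from organization to group to user, an override list consulted before the engine runs, and scoring of search queries) fit together as in the following Python model. This is an added example written for this article, not ContentWatch's code: the category names, patterns, weights, threshold, policies and sample URLs are all invented, and a real engine's values are vendor secrets.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ALLOW, BLOCK, WARN = "Allow", "Block", "Warn"
SEVERITY = {ALLOW: 0, WARN: 1, BLOCK: 2}   # the strictest matching category wins

# Hypothetical categories: (compiled pattern, weight) per category. Real
# vendor patterns and weights are secret; these are invented for the example.
CATEGORIES = {
    "adult": [(re.compile(r"\b(?:xxx|porn)\b", re.I), 5),
              (re.compile(r"\bnude\b", re.I), 2)],
    "hate":  [(re.compile(r"\b(?:white power|ethnic cleansing)\b", re.I), 6)],
    "p2p":   [(re.compile(r"\b(?:torrent|bittorrent)\b", re.I), 3),
              (re.compile(r"\.torrent\b", re.I), 4)],
    "news":  [(re.compile(r"\b(?:reuters|associated press|breaking news)\b", re.I), 3)],
}
THRESHOLD = 5  # a category is assigned once its weighted score reaches this


def categorize(text: str) -> set:
    """Weighted keyword/regex scoring over page text, metadata or a search query."""
    hits = set()
    for cat, rules in CATEGORIES.items():
        score = sum(weight * len(rx.findall(text)) for rx, weight in rules)
        if score >= THRESHOLD:
            hits.add(cat)
    return hits


def effective_policy(user: Optional[dict], group: Optional[dict], org: dict) -> dict:
    """A level left as None inherits the next level up; the lowest explicit policy wins."""
    for level in (user, group, org):
        if level is not None:
            return level
    return org


def matching_override(host: str, overrides: dict) -> Optional[str]:
    """Overrides are keyed by host or parent domain and checked before content analysis."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):          # www.example.com, then example.com
        action = overrides.get(".".join(labels[i:]))
        if action is not None:
            return action
    return None


def decide(url: str, content: str, policy: dict, overrides: dict) -> tuple:
    """Return (action, reason) for one request; action is Allow, Block or Warn."""
    parts = urlsplit(url)
    override = matching_override(parts.hostname or "", overrides)
    if override is not None:
        return override, "override"          # the engine is bypassed entirely
    # A search query is scored like page content, so a filtered phrase is
    # caught before the results page is shown.
    query = " ".join(parse_qs(parts.query).get("q", []))
    cats = categorize(content + " " + query)
    action = ALLOW
    for cat in cats:
        candidate = policy.get(cat, ALLOW)
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action, ",".join(sorted(cats)) or "uncategorized"


# Hypothetical policies and override list.
ORG_POLICY = {"adult": BLOCK, "hate": BLOCK, "p2p": WARN, "news": ALLOW}
GROUP_POLICY = None                          # left as "None": inherits ORG_POLICY
RESEARCHER_POLICY = {"adult": BLOCK, "hate": WARN, "p2p": BLOCK, "news": ALLOW}
OVERRIDES = {"tracker.example.net": BLOCK, "intranet.example.com": ALLOW}

STAFF = effective_policy(None, GROUP_POLICY, ORG_POLICY)            # inherits org
RESEARCHER = effective_policy(RESEARCHER_POLICY, GROUP_POLICY, ORG_POLICY)
# Constructed sample page text, not captured traffic.
HATE_PAGE = "Local report on an ethnic cleansing trial, via Reuters."

if __name__ == "__main__":
    print(decide("http://news.example.org/trial", HATE_PAGE, STAFF, OVERRIDES))       # ('Block', 'hate')
    print(decide("http://news.example.org/trial", HATE_PAGE, RESEARCHER, OVERRIDES))  # ('Warn', 'hate')
    print(decide("http://search.example.com/search?q=free+torrent+bittorrent",
                 "", STAFF, OVERRIDES))                                               # ('Warn', 'p2p')
    print(decide("http://files.tracker.example.net/index.html", "welcome",
                 STAFF, OVERRIDES))                                                   # ('Block', 'override')
```

Two design points stand out. The override check runs before `categorize`, exactly as the override page is described, which is why an allow entry for a domain silently exempts every page under it from scoring. And the same `HATE_PAGE` text yields Block for a staff user and Warn for the researcher only because the researcher's explicit policy replaces the inherited one wholesale; a policy left as None at the group level contributes nothing of its own.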

One drawback is that topics and words that do not fall under the appliance's 28 categories cannot be filtered. The appliance's heuristics are essentially a black box, so the closest option administrators have is the Web override feature, which can block URLs but not specific content.

The Test Center found that ContentWatch has done a great job in simplifying management and configuration. The solution proved accurate and flexible without degrading performance. Solution providers considering adding content filtering to their solutions set will find appliances like ContentProtect make it relatively painless.